2.2.4.5.2.1 Extended Security Response
If the selected dialect is NT LAN Manager and the client has indicated extended security is being used, a successful response MUST take the following form. Aside from the additional notes to the SMB_Parameters.Words.MaxBufferSize and SMB_Parameters.Words.ChallengeLength fields, the new SMB_Parameters.Words.Capabilities bits, and the SMB_Data.Bytes.ServerGuid and SMB_Data.Bytes.SecurityBlob fields, all other fields are defined as specified in [MS-CIFS] section 2.2.4.52.2.
```
SMB_Parameters
  {
  UCHAR  WordCount;
  Words
    {
    USHORT   DialectIndex;
    UCHAR    SecurityMode;
    USHORT   MaxMpxCount;
    USHORT   MaxNumberVcs;
    ULONG    MaxBufferSize;
    ULONG    MaxRawSize;
    ULONG    SessionKey;
    ULONG    Capabilities;
    FILETIME SystemTime;
    SHORT    ServerTimeZone;
    UCHAR    ChallengeLength;
    }
  }
SMB_Data
  {
  USHORT ByteCount;
  Bytes
    {
    GUID  ServerGUID;
    UCHAR SecurityBlob[];
    }
  }
```

| Field | Size |
|---|---|
| SMB_Parameters | 35 bytes |
| SMB_Data | variable |

SMB_Parameters (35 bytes):

| Field | Size |
|---|---|
| WordCount | 1 byte |
| Words | 34 bytes |

Words (34 bytes):
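
| Field | Type | Size |
|---|---|---|
| DialectIndex | USHORT | 2 bytes |
| SecurityMode | UCHAR | 1 byte |
| MaxMpxCount | USHORT | 2 bytes |
| MaxNumberVcs | USHORT | 2 bytes |
| MaxBufferSize | ULONG | 4 bytes |
| MaxRawSize | ULONG | 4 bytes |
| SessionKey | ULONG | 4 bytes |
| Capabilities | ULONG | 4 bytes |
| SystemTime | FILETIME | 8 bytes |
| ServerTimeZone | SHORT | 2 bytes |
| ChallengeLength | UCHAR | 1 byte |
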
MaxBufferSize (4 bytes): Maximum size, in bytes, of the server buffer for receiving SMB messages. This value accounts for the size of the largest SMB message that the client can send to the server, measured from the start of the SMB header to the end of the packet. This value does not account for any underlying transport-layer packet headers, and thus does not account for the size of the complete network packet.<28>

The only cases in which this maximum buffer size MUST be exceeded are:

- When the SMB_COM_WRITE_ANDX command is used and the client and server both support the CAP_LARGE_WRITEX capability (see the Capabilities field for more information).
- When the SMB_COM_WRITE_RAW command is used and both the client and server support the CAP_RAW_MODE capability.

Capabilities (4 bytes): A 32-bit field providing a set of server capability indicators. This bit field is used to indicate to the client which features are supported by the server. Any value not listed in the following table is unused. The server MUST set the unused bits to zero. The client MUST ignore these bits.

These extensions provide the following new capability bits:

- CAP_COMPRESSED_DATA
- CAP_DYNAMIC_REAUTH
- CAP_EXTENDED_SECURITY
- CAP_INFOLEVEL_PASSTHRU
- CAP_LARGE_WRITEX
- CAP_LWIO
- CAP_UNIX

The rest of the values in the capabilities table are included for completeness.

| Name and bitmask | Meaning |
|---|---|
| CAP_RAW_MODE 0x00000001 | The server supports SMB_COM_READ_RAW and SMB_COM_WRITE_RAW requests.<29> Raw mode is not supported over connectionless transports. |
| CAP_MPX_MODE 0x00000002 | The server supports SMB_COM_READ_MPX and SMB_COM_WRITE_MPX requests.<30> MPX mode is supported only over connectionless transports. |
| CAP_UNICODE 0x00000004 | The server supports UTF-16LE Unicode strings. |
| CAP_LARGE_FILES 0x00000008 | The server supports large files with 64-bit offsets. |
| CAP_NT_SMBS 0x00000010 | The server supports SMB commands particular to the NT LAN Manager dialect. |
| CAP_RPC_REMOTE_APIS 0x00000020 | The server supports the use of remote procedure call [MS-RPCE] for remote API calls. Similar functionality would otherwise require use of the legacy Remote Administration Protocol, as specified in [MS-RAP]. |
| CAP_STATUS32 0x00000040 | The server is capable of responding with 32-bit status codes in the Status field of the SMB header (for more information, see [MS-CIFS] 2.2.3.1). CAP_STATUS32 can also be referred to as CAP_NT_STATUS. |
| CAP_LEVEL_II_OPLOCKS 0x00000080 | The server supports level II opportunistic locks (oplocks). |
| CAP_LOCK_AND_READ 0x00000100 | The server supports the SMB_COM_LOCK_AND_READ command requests. |
| CAP_NT_FIND 0x00000200 | The server supports the TRANS2_FIND_FIRST2, TRANS2_FIND_NEXT2, and FIND_CLOSE2 command requests. This bit SHOULD<31> be set if CAP_NT_SMBS is set. |
| CAP_DFS 0x00001000 | The server is aware of the DFS Referral Protocol, as specified in [MS-DFSC], and can respond to DFS referral requests. For more information, see [MS-CIFS] sections 2.2.6.16.1 and 2.2.6.16.2. |
| CAP_INFOLEVEL_PASSTHRU 0x00002000 | The server supports pass-through Information Levels, as specified in section 2.2.2.3. This allows the client to pass Information Level structures in QUERY and SET operations.<32> |
| CAP_LARGE_READX 0x00004000 | The server supports large read operations. This capability affects the maximum size, in bytes, of the server buffer for sending an SMB_COM_READ_ANDX response to the client. When this capability is set by the server (and set by the client in the SMB_COM_SESSION_SETUP_ANDX request), then the maximum server buffer size for sending data can exceed the MaxBufferSize field. Therefore, the server can send a single SMB_COM_READ_ANDX response to the client up to an implementation-specific default size.<33> When signing is active on a connection, then clients MUST limit read lengths to the MaxBufferSize value negotiated by the server irrespective of the value of the CAP_LARGE_READX flag. |
| CAP_LARGE_WRITEX 0x00008000 | The server supports large write operations. This capability affects the maximum size, in bytes, of the server buffer for receiving an SMB_COM_WRITE_ANDX client request. When this capability is set by the server (and set by the client in the SMB_COM_SESSION_SETUP_ANDX request), then the maximum server buffer size of bytes it writes can exceed the MaxBufferSize field. Therefore, a client can send a single SMB_COM_WRITE_ANDX request up to this size.<34> When signing is active on a connection, then clients MUST limit write lengths to the MaxBufferSize value negotiated by the server, irrespective of the value of the CAP_LARGE_WRITEX flag. |
| CAP_LWIO 0x00010000 | The server supports new light-weight I/O control (IOCTL) and file system control (FSCTL) operations. These operations are accessed using the NT_TRANSACT_IOCTL subcommand (section 2.2.7.2).<35> |
| CAP_UNIX 0x00800000 | The server supports UNIX extensions.<36> For more information, see [SNIA]. |
| CAP_COMPRESSED_DATA 0x02000000 | Reserved but not implemented.<37> The server supports compressed SMB packets. |
| CAP_DYNAMIC_REAUTH 0x20000000 | The server supports re-authentication.<38> |
| CAP_PERSISTENT_HANDLES 0x40000000 | Reserved but not implemented.<39> The server supports persistent handles. |
| CAP_EXTENDED_SECURITY 0x80000000 | The server supports extended security for authentication, as specified in section 3.2.4.2.4. This bit is used in conjunction with the SMB_FLAGS2_EXTENDED_SECURITY SMB_Header.Flags2 flag, as specified in section 2.2.3.1. |
ChallengeLength (1 byte): When the CAP_EXTENDED_SECURITY bit is set, the server MUST set this value to zero and clients MUST ignore this value.
SMB_Data (variable):

| Field | Size |
|---|---|
| ByteCount | 2 bytes |
| Bytes | variable |

ByteCount (2 bytes): The number of bytes in the SMB_Data.Bytes array, which follows. This field MUST be greater than or equal to 0x0010.
Bytes (variable):

| Field | Size |
|---|---|
| ServerGUID | 16 bytes |
| SecurityBlob | variable |

ServerGUID (16 bytes): This field MUST be a GUID generated by the server to uniquely identify this server. This field SHOULD NOT be used by a client as a secure method of identifying a server because it can be forged. A client SHOULD use this information to detect whether connections to different textual names resolve to the same target server when direct TCP is used. This knowledge can then be used to set the SMB_Parameters.Words.VcNumber field in the SMB_COM_SESSION_SETUP_ANDX request (see [MS-CIFS] section 2.2.4.53.1).<40>
SecurityBlob (variable): A security binary large object (BLOB) that SHOULD contain an authentication token as produced by the GSS protocol (as specified in section 3.2.4.2.4 and [RFC2743]).
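
A client-side parser for the layout in this section that applies its rules: ByteCount of at least 0x0010, ChallengeLength ignored, unlisted capability bits ignored. This is an added example, not part of the specification; the function names and sample field values are made up. It assumes the input starts at SMB_Parameters (after the SMB header), that fields are little-endian, and that WordCount counts 16-bit words as in [MS-CIFS].

```python
import struct, uuid

# Capability bitmasks copied from the capabilities table in this section.
CAPS = {
    "CAP_RAW_MODE": 0x1, "CAP_MPX_MODE": 0x2, "CAP_UNICODE": 0x4,
    "CAP_LARGE_FILES": 0x8, "CAP_NT_SMBS": 0x10, "CAP_RPC_REMOTE_APIS": 0x20,
    "CAP_STATUS32": 0x40, "CAP_LEVEL_II_OPLOCKS": 0x80, "CAP_LOCK_AND_READ": 0x100,
    "CAP_NT_FIND": 0x200, "CAP_DFS": 0x1000, "CAP_INFOLEVEL_PASSTHRU": 0x2000,
    "CAP_LARGE_READX": 0x4000, "CAP_LARGE_WRITEX": 0x8000, "CAP_LWIO": 0x10000,
    "CAP_UNIX": 0x800000, "CAP_COMPRESSED_DATA": 0x2000000,
    "CAP_DYNAMIC_REAUTH": 0x20000000, "CAP_PERSISTENT_HANDLES": 0x40000000,
    "CAP_EXTENDED_SECURITY": 0x80000000,
}
# Words: DialectIndex .. ChallengeLength, little-endian, no padding (34 bytes).
WORDS = struct.Struct("<HBHHIIIIQhB")

def parse_ext_sec_response(buf: bytes) -> dict:
    """Parse SMB_Parameters + SMB_Data (the bytes after the SMB header)."""
    if len(buf) < 1 + WORDS.size + 2:
        raise ValueError("truncated SMB_Parameters/ByteCount")
    if buf[0] * 2 != WORDS.size:  # assumption: WordCount counts 16-bit words
        raise ValueError("WordCount does not describe 34 bytes of Words")
    (_dialect, _mode, _mpx, _vcs, max_buf, _raw, _skey,
     caps, _time, _tz, _challenge_len) = WORDS.unpack_from(buf, 1)
    if not caps & CAPS["CAP_EXTENDED_SECURITY"]:
        raise ValueError("CAP_EXTENDED_SECURITY not set; different layout")
    # ChallengeLength is deliberately unused: clients MUST ignore it here.
    off = 1 + WORDS.size
    (byte_count,) = struct.unpack_from("<H", buf, off)
    data = buf[off + 2 : off + 2 + byte_count]
    if byte_count < 0x10 or len(data) != byte_count:
        raise ValueError("ByteCount below 0x0010 or past end of message")
    return {
        "MaxBufferSize": max_buf,
        # Unlisted bits are ignored, as the client is required to do.
        "Capabilities": {n for n, bit in CAPS.items() if caps & bit},
        "ServerGUID": uuid.UUID(bytes_le=data[:16]),  # forgeable, not proof of identity
        "SecurityBlob": data[16:],
    }

def build_sample(caps: int, blob: bytes, byte_count=None) -> bytes:
    """Constructed test message; every field value here is made up."""
    words = WORDS.pack(0, 0x03, 50, 1, 16644, 65536, 0, caps, 0, 0, 0)
    data = uuid.UUID(int=0x1234).bytes_le + blob
    n = len(data) if byte_count is None else byte_count
    return bytes([17]) + words + struct.pack("<H", n) + data
```

The SecurityBlob is returned as opaque bytes; the parser does not interpret it.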